Remote desktop software provider TeamViewer has revealed a cyberattack on its corporate network. The company stated that no customer data or product functionality was compromised during the incident.
The attack occurred on June 26 and was detected and mitigated by TeamViewer’s security team in collaboration with cybersecurity experts, according to a statement issued by TeamViewer.
The statement added that the attack was carried out by the Russian hacking group APT29, also known as Midnight Blizzard. According to MITRE, a non-profit organization that operates federally funded research and development centers for the US government, APT29 is connected to Russia’s Foreign Intelligence Service (SVR).
According to the TeamViewer website, the company provides remote access tools to corporate customers, including DHL and Coca-Cola, has over 600,000 paying customers, and facilitates remote access to more than 2.5 billion devices worldwide.
Incident Detection and Response
TeamViewer explained that its security team detected an irregularity in its internal corporate IT environment on June 26, 2024. The company activated its response team and procedures, started investigations with cybersecurity experts, and implemented necessary remediation measures.
TeamViewer emphasized that its internal corporate IT environment is completely independent of the product environment, and there is no evidence to suggest that customer data or the product environment was affected.
TeamViewer’s internal security team and cybersecurity experts discovered that the attackers accessed the system using a compromised standard employee account. Continuous security monitoring detected suspicious activity related to this incident, leading to an immediate incident response action. TeamViewer’s actions involved isolating the compromised account and containing affected systems to prevent the spread of the attack within the network, as per the company’s statement.
Security Measures and Transparency
In a statement, TeamViewer highlighted its strong segregation between the corporate IT environment and the production environment where customer data resides, describing this segregation as a core element of its “defence-in-depth” security strategy designed to prevent unauthorized access.
“We keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments,” TeamViewer said in a statement.
“Security is of utmost importance for us, it is deeply rooted in our DNA. Therefore, we value transparent communication and will continuously update the status of our investigations as new information becomes available.”
Advisory for Healthcare Sector
After TeamViewer’s team detected a cyberattack, the Health Information Sharing and Analysis Center (H-ISAC), a non-profit organization that provides a central resource for gathering information on cyber threats in the US, issued a bulletin. The bulletin warned the healthcare sector of threat actors actively exploiting TeamViewer and advised organizations to review logs for unusual remote desktop traffic.
It recommended implementing multi-factor authentication and access controls to mitigate potential risks. H-ISAC also suggested enabling two-factor authentication and using allowlists and blocklists to control who can connect to their devices.